The value of this property is questionable since any sniffer or Fiddler could easily remove it. That said, it could slow down the average script kiddie for 15 seconds.

You can do it a few ways. I added this to the Global.asax and catch all the cookies on the way out the door. You could choose to do this to specific cookies if you like.

    protected void Application_EndRequest(Object sender, EventArgs e)
    {
        // ASP.NET 1.1's HttpCookie has no HttpOnly property, so the flag is
        // smuggled in via Path: the cookie is serialized as "path=/;HttpOnly",
        // and the browser treats the part after ';' as a separate attribute.
        const string HTTPONLY = ";HttpOnly";

        foreach (string cookie in Response.Cookies)
        {
            string path = Response.Cookies[cookie].Path;

            if (path.EndsWith(HTTPONLY) == false)
            {
                // force HttpOnly to be added to the cookie
                Response.Cookies[cookie].Path += HTTPONLY;
            }
        }
    }

Of course, ASP.NET 2.0 can do all this for you via a Web.config setting.

SILLY GOTCHA: If you do this in your ASP.NET 1.1 app and then run your 1.1 app under 2.0 without changes, be aware that ASP.NET 2.0 will blindly append ANOTHER HttpOnly after every cookie, giving you the value TWICE. You'll then need to turn it off in web.config, since your code would already be handling it.
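A small audit script, added here and not part of Scott's post, that parses Set-Cookie header values the way a browser splits attributes and reports both cookies lacking HttpOnly and cookies carrying it twice (the 1.1-hack-under-2.0 symptom described above); the header values are constructed samples, not captured traffic.

```python
from typing import Dict, List

# Constructed sample Set-Cookie header values (not captured from any real
# application); they model the cases described in the post.
SAMPLE_SET_COOKIE = [
    "ASP.NET_SessionId=abc123; path=/",       # no HttpOnly at all
    "auth=tok; path=/;HttpOnly",              # 1.1 hack: flag glued onto the path
    "auth2=tok; path=/;HttpOnly; HttpOnly",   # 1.1 hack left on under 2.0: flag twice
    "prefs=dark; path=/; HttpOnly",           # flag set properly (e.g. via web.config)
]


def audit_set_cookie(header: str) -> Dict[str, object]:
    """Parse one Set-Cookie value and count its HttpOnly attributes.

    Browsers split attributes on ';', so a Path of "/;HttpOnly" is seen as
    path=/ followed by a separate HttpOnly token, which is exactly why the
    Path hack works. We parse the same way, case-insensitively.
    """
    tokens = [t.strip() for t in header.split(";")]
    name = tokens[0].split("=", 1)[0].strip()
    flags = sum(1 for t in tokens[1:] if t.lower() == "httponly")
    return {"name": name, "httponly": flags >= 1, "duplicates": max(0, flags - 1)}


def audit_response(headers: List[str]) -> List[str]:
    """Return one finding string per cookie that needs attention."""
    findings = []
    for h in headers:
        r = audit_set_cookie(h)
        if not r["httponly"]:
            findings.append(f"{r['name']}: missing HttpOnly")
        elif r["duplicates"]:
            findings.append(f"{r['name']}: HttpOnly repeated {r['duplicates'] + 1} times "
                            "(1.1 Path hack still active under 2.0?)")
    return findings


if __name__ == "__main__":
    for line in audit_response(SAMPLE_SET_COOKIE):
        print(line)
```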

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.